Risk Management Report (continued)

NON-FINANCIAL RISKS

Technology & Cyber Risks

Risk: Potential disruptions from system failures and reliance on third-party technology. Cyber risk encompasses threats from attacks, data breaches, and employee misconduct.

Risk Response

First line of defence:
• The effective management of IT risks is essential for achieving strategic objectives and maintaining operational continuity.
• A dedicated IT Security team is responsible for monitoring and reporting on cybersecurity risks.
• IT Operations is responsible for capturing and tracking IT risks associated with core technology services, such as infrastructure risks, failure of the core IT system and cyber-attacks.

Second line of defence:
• An independent Chief Information Security Officer was appointed to oversee IT and cyber risk management.
• A framework has been implemented to measure and monitor the technology and cyber risk profile, alongside the control environment.
• Independent penetration testing and vulnerability assessments are carried out with the support of external expertise.
• Cybersecurity maturity is enhanced through the review of policies and the implementation of tools, ensuring alignment with the Bank of Mauritius Guideline on Cyber and Technology Risk Management.
• Regular training and awareness sessions are conducted, focusing on emerging trends in cyber-attacks & social engineering.
• Due diligence and well-defined contracts are in place for third-party engagements.
• IT and cyber security risks are independently tracked by the Risk Management team and reported to the Operational Risk Forum and the Risk Management Committee.

Operational Risks

Risk: Failures and resulting losses from inadequate internal processes, systems, or external events.

Risk Response

Effective risk management programme:
• An effective risk management programme was designed and rolled out, anchored in the three-lines-of-defence model.
• Risks and controls are regularly updated as per the Risk Control Self-Assessment (‘RCSA’) approach.
• Controls & risk mitigations for the various operational risks are continuously optimised in line with risk appetite and thresholds.
• The right balance of operational risk management is struck to address key risks effectively while ensuring cost-effective measures.
• A resilient approach is adopted for business processes to ensure sustained operations in the face of disruptions.

Reporting and Oversight:
• Non-financial risk policies and procedures are reviewed periodically in line with evolving business needs and the control environment.
• Timely incident reporting, oversight and independent monitoring by the risk team are ensured.
• Periodic reports are provided to the Operational Risk Forum (‘ORF’) and to the Risk Management Committee (‘RMC’).